Top Botnets Control Some 1 Million Hijacked Computers
Puskas writes "Joe Stewart is the director of malware research at SecureWorks, and presented a dire view of the current botnet landscape at the RSA conference this week. He conducted a survey of the top spamming 'nets, extrapolating their size from the volume of emails that flow across the internet. By his calculations, the top 11 networks control just over a million machines, hitting inboxes with some 100 billion messages a day. 'The botnet at the top of the chart is Srizbi. According to Stewart, this botnet — which also goes by the names "Cbeplay" and "Exchanger" — has an estimated 315,000 bots and can blast out 60 billion messages a day.
While it may not have gotten the publicity that Storm has during the last year, it's built around a much more substantial collection of hijacked computers, said Stewart. In comparison, Storm's botnet counts just 85,000 machines, only 35,000 of which are set up to send spam. Storm, in fact, is No. 5 on Stewart's list.'"
Start with "microsoft" and "windows" as the technologies which bring you the largest, most profitable botnets!
you had me at #!
The truth is that Macs are completely impervious to anything other than the will of Steve Jobs, and that you are a douchebag.
Accept it!
I'm a smart software developer, so I'm pretty sure my computer is not affected (secured hardware firewall, etc). But how can I be sure?
I don't necessarily trust that a clean-virus scan means a whole lot.
What's the best way to make this determination?
Using Windows is a privilege, not a right. Anybody found to have a zombied computer should have their Internet connection cut off immediately and it should only be restored when they can demonstrate that they have removed the offending operating system and either installed a free and secure alternative, or bought a Mac. They clearly do not have the training or inclination to operate Windows safely.
They obviously don't have a problem with tracking down and monitoring people. And they apparently have a bandwidth issue. Why don't they basically mail merge to SELECT * FROM `customers` WHERE `customers`.isinfected? Simple, cheap snail mail... nothing fancy.
"Thanks for all the money you paid to us. We've used it to buy off ISO among other things" -Microsoft
No, you cannot trust that your computer is clean even if you run anti-virus software and firewall.
Use Linux, that's what I do.
I switched from Windows XP to Ubuntu, and I am happy with it.
Happy and secure.
and there's still no spam in my inbox. How's that, blackhats? For a short period in your life you'll know what organized crime does to people who don't deliver. Good riddance and fuck you!
God knows I installed on that notebook each and every Anti-Spyware, Antivirus, Anti-everything in order to get rid of it. I traveled each and every "advisory" site with my HijackThis logs, removed numerous keys from the registry. Still, every now and then a goddamn popup window with the site "pc-on-internet.com" appears. I spent altogether perhaps 3 working days trying to remove the stupid thing; there is a lot of data and SW installed so I am trying to avoid re-installation. Now I am in the sitting-in-the-corner-and-crying phase.
839*929
Wow, you're a cunt. The OP was talking about computers, and you just had to make this personal.
Be that as it may, "Kraken" is a superb name (as is "Damballa" itself). "Bobic", "Oderoor" and "Bobax" sound like open-source CMSs. "Cotmonger" sounds like a word Bart Simpson would use when suddenly breaking into an unfunny Cockney accent for no reason.
What I'm listening to now on Pandora...
I had a botnet once... didn't catch very many bots, but I got a shitload of dolphins :(
"When life gives you lemons, don't make lemonade. Make life take the lemons back!" -- Cave Johnson
'cause you are a take-it-in-the-ass little bitch.
Wouldn't it be possible to log "bot" traffic and systematically, using the same exploits that the bot trojans used to infect the hosts, infect these machines with a virus that removes the bot and deletes itself? Sort of like an anti-bot virus?
Might be a little unethical, but hey drastic times call for drastic measures!
The industry is going at this all wrong. There are only a few players left, and they're all crooks. We need a consortium of companies with spam problems to hire Kroll, Blackwater, or one of the other big international security companies to deal with the people behind the problem.
If 5% of the money spent on dealing with spam went into finding the people behind it and making them go away, the problem would go away.
Need some stats to glue you to that posh office chair you're sitting in? Try the CDC for mortality statistics http://www.cdc.gov/nchs/fastats/deaths.htm and watch how botnets blur into needless crap worthy of Fox News.
On the other hand, you are only hearing about the botnets that are reported! The ones that stay stealthy and only do a little espionage now and then are not reported... say from the USAF Cyber Defense Command!? Since MS et al are so cozy with the NSA these bots probably don't even register with detection software packages.
As stated, watch some port 25 traffic to see if you are spewing spam everywhere. Who knows what port the really nasty botnets are using. No, it's not tin foil I'm wearing on my head!!
Just because you're paranoid does NOT mean they are not out to get you. We've seen cable cuts, military attacks on various other-country establishments, industrial espionage from Israel, Chinese cyber attacks and all manner of oddities on the Internet.
I said it first: Recession will make the Internet more important than it is now. Cyber attackers will mature, and their attacks and goals will change also. Identity theft is peanuts if you can get inside a bank, a federal bank etc.
Think of it... 25 cents per transaction run through a large backend company for Visa? THAT is big money. Doesn't have to be a credit card company either.. just a large institution. Say the billing system of your local electric company gets hacked, and 25 cents per bill is being funneled off to Estonia? If you think it couldn't happen and is not happening, remind yourself how torture in the USA couldn't happen either!
Support NYCountryLawyer RIAA vs People
If all ISPs and businesses would simply block egress tcp port 25 for all addresses on their network except approved mail servers, they would stop these botnets in their tracks.
Of course, the botnets would then be rewritten to try to discover the mail server the PC normally uses and try to use it instead. But if ISPs enforced SMTP authentication to send, it would make it more difficult. Even if the botnets got past all that, it would now be easier to track down exactly who has the infected computer.
Of course many ISPs won't do this because it will make them more directly responsible for preventing spam, preventing viruses, and keeping their customers' computers clean.
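The egress policy described in the comment above (TCP/25 leaves the network only towards approved relays) and the follow-on point that violations become easy to attribute can both be shown in a few lines. The following is an added example, not code from the thread or from any ISP: it encodes the allow-list decision and then runs it over constructed netflow-style records to list which customer hosts are talking SMTP directly to the outside. The relay addresses, customer block and flow lines are all made-up placeholders.

```python
"""Egress TCP/25 allow-list and a detector for hosts that bypass it.

Added example (not from the original thread). Assumes flow records are
available as text lines: "<timestamp> <src_ip> <dst_ip> <dst_port> <bytes>".
All addresses below are documentation ranges used as placeholders.
"""
from collections import Counter
import ipaddress

# Constructed policy: the ISP's own outbound relays and its customer address block.
APPROVED_RELAYS = {"192.0.2.25", "192.0.2.26"}              # placeholder relay IPs
CUSTOMER_NET = ipaddress.ip_network("198.51.100.0/24")      # placeholder customer block

# Constructed sample flows: .17 uses the relay (fine), .42 sprays port 25 directly.
SAMPLE_FLOWS = """\
2008-04-10T16:08:01 198.51.100.17 192.0.2.25 25 4210
2008-04-10T16:08:02 198.51.100.42 203.0.113.9 25 1802
2008-04-10T16:08:02 198.51.100.42 203.0.113.10 25 1790
2008-04-10T16:08:03 198.51.100.42 203.0.113.11 25 1811
2008-04-10T16:08:03 198.51.100.17 203.0.113.80 443 9020
2008-04-10T16:08:04 198.51.100.42 192.0.2.25 25 1500
"""


def egress_allowed(src, dst, port, approved=APPROVED_RELAYS, customers=CUSTOMER_NET):
    """The border rule: customer hosts may reach TCP/25 only on approved relays.

    Traffic that is not from a customer host, not to port 25, or destined for an
    approved relay passes; everything else on port 25 is dropped.
    """
    if port != 25:
        return True
    if ipaddress.ip_address(src) not in customers:
        return True
    return dst in approved


def parse_flow(line):
    """Split one constructed flow record into typed fields."""
    ts, src, dst, port, nbytes = line.split()
    return ts, src, dst, int(port), int(nbytes)


def find_direct_smtp(flows=SAMPLE_FLOWS, **policy):
    """Count, per customer host, the TCP/25 connections the egress rule would drop.

    Returns {src_ip: count}; a host that shows up here is either running its own
    MTA or is a spam bot, and in both cases the ISP knows exactly which account.
    """
    hits = Counter()
    for line in flows.strip().splitlines():
        _ts, src, dst, port, _nbytes = parse_flow(line)
        if not egress_allowed(src, dst, port, **policy):
            hits[src] += 1
    return dict(hits)


def hosts_to_notify(flows=SAMPLE_FLOWS, threshold=2):
    """Hosts whose bypass count reaches the threshold, sorted for a ticket queue."""
    return sorted(ip for ip, n in find_direct_smtp(flows).items() if n >= threshold)


if __name__ == "__main__":
    print(find_direct_smtp())   # {'198.51.100.42': 3}
    print(hosts_to_notify())    # ['198.51.100.42']
```

The same `egress_allowed` predicate is what a border ACL expresses; running it over flow records instead of packets gives the monitoring side, so the host that would have been blocked is also the one the abuse desk contacts.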
Another internet tough guy....don't you have some zits to pop?
we're in your networks controlling your logins
Why UNIX?
Once you know the PC is compromised you cannot get it back to a known good state. The best you can hope for with the various utilities is to get it workable enough to offload your data, build your recovery media and record your settings. You're actually better off removing the hdd to an external enclosure and installing fresh on a new one. You could then scan the removable device before carefully recovering the data from it. The worst possible thing you could do is eliminate the visible problems and pretend that means you have a good PC on which to do work.
What is pwned cannot be unpwned. Reinstall. Somewhere in my journal may be some helpful instructions for getting the reinstall done without becoming compromised in the process. You're not the first (or the ten thousandth) person here this has happened to.
Somebody else here will have suggested you try Linux by now, or Apple. There are no Linux or Apple botnets so they don't have this problem. They do have security vulnerabilities too, but compromising one of them is a retail, rather than a wholesale, endeavor and so less fruitful for the botmasters.
Help stamp out iliturcy.
I just block everything incoming on port 25 from IP blocks in the US, apart from a (very small) handful of whitelisted servers.
This thread was all one person.
DRM: Terminator crops for your mind!
Fine them a few hundred bucks per machine. Lazy people who can't or won't keep their machines secure don't deserve to be given access to the internet.
It's like owning a dog. If you don't keep the dog secure, and it runs about able to harm others, you get a fine and potentially lose your right to own a dog.
I realize the logistics are tough, but something needs to be done.
Blar.
i am too!
WHO IS CLICKING ON THE LINKS IN THESE EMAILS?
Why does spam work? Who are these stupid people and why do they click? Also, if you get 80 spams a day for the same fake product, why would you pick one at random and say, "der, I think I'll go buy this!"
Can someone please tell me why?
I wish some news reporter would send out a billion spam but then, instead of taking money from the people who click, contact them and do an interview. I want to know who these people are and what the hell they are thinking.
Has anyone thought of writing a worm that just installs a stealth Folding@home client and patches the machine up?
If a million clueless consumers are going to buy more megahertz of Dells than they know how to use, we might as well use their stolen CPU cycles to cure diseases rather than impotence.
Ahh! How I wish you'd posted this under your real ID! I'd love to track the mod war!
"Flyin' in just a sweet place,
Never been known to fail..."
Regardless of platform, most users
1) Run as root, administrator, or some other super-trusted user account and completely disregard security
2) Open anything they receive in email. I've even had some users do a Save-As giving the file the correct extension to be runnable!
These are a result of fundamental flaws in the design of Windows, Unix, et al. Most operating systems assume that all programs should have the ability to do whatever the user can do. In other words, programs are as trusted as the user account they run under.
Given people's experiences with OS X's admin dialogs or Vista's UAC, I'm not sure changing this assumption will lead to more security either. Most users, when presented with a dialog box, will immediately press whatever button is required to dismiss the dialog without reading it.
Even if the default is cancel, the first time they hit "naked ladies.jpg.exe", get a warning, and dismiss it they'll just figure they did something wrong and open it again, choosing the other option this time.
I'm not sure what the solution is.
Natural != (nontoxic || beneficial)
Under one distribution and one sole source, I am not going to switch out IIS anytime soon.
Thanks. I will stick with what I have known since the 90's. If you are smart and know the stuff well, Windows is just acting like FOSS anyway.
"i am too!"
That's "I am two!"
I spent altogether perhaps 3 working days trying to remove the stupid thing
Those programs are so complex, so woven into the fabric of Windows, I've never seen a repair work. You have to reformat the drive... not just reformat, but blow away the partitions and recreate them, then reinstall Windows, plus scan the data files recovered with Knoppix.
Even then I won't warranty it. The hackers you're up against today are organized, professional programmers making big $$$ who do this for a living, not some 15 year old hack. They even know how to subvert security and anti-virus programs.
I'm not belittling you or anyone else when I suggest you may be a bit out of your league. Partition, reformat, reinstall.
That's our life, the big wheel of shit. - The Fat Man, Blue Tango Salvage
There is a good chart mapping current botnets and spam at the Marshall TRACE center (updated frequently afaik). That over 80% of all internet spam comes from botnets (and almost 50% of it just from Srizbi) is a good sample of the impact of this kind of spam source.
Bull.
I have a legitimate right to send SMTP from my machine - and I do so. I also run an SMTP server at home - have since 1993, when I got off of uucp.
I have never been an open relay, and access is passwd. I already have assholes at AT&T blacklisting me for no reason - and suffering their ridiculous petition process to get off their RBL.
This is the Internet. A collection of networks. ISPs are not cops, nor should they be. When you mandate this on common carriers, they become something else - and any slim protections we still have remaining will be long gone.
Gotta love how these articles always say "a million machines" rather than the clearer and more accurate "a million microsoft windows PCs"...
So, each of those million machines sends out 100,000 messages per day on average. Thus, if you require any machine that sends out over, say, 10,000 messages per day to be registered, and to be held to a minimum standard of security (machines not registered would be kicked off the network as soon as they reached 10,001 messages in a single day, and would not be allowed back on until registered and secured), the spam problem would be reduced by around 90%, at least from these botnets.
Okay, so it would require too much regulation to work, and it would take a lot of effort to establish. But it's okay to dream, right?
Everything is subjective.
In the last two months I have seen a huge increase of spam from distributed locations around the world, and I get it in bursts at irregular times. The new junk is the backscatter spam that they send to other people, existing or not, and the resulting rejections, if the recipients don't exist, get bounced to us. I think a burst of spam is bot controllers telling their slaves to send out spam simultaneously, thus the resulting spam burst on my system.
If someone could find most of the bot controllers and then "clean" those slave systems, there would be fewer of them and we could have some peace. I'm not advocating killing them like the Russian Mafia:
http://it.slashdot.org/article.pl?sid=07/10/11/2157244
but torture them until they relinquish the password to their system so we can find out where the slave systems are. I have no problem sending them to some gulag in some God-forsaken former Communist country and having the living daylights beaten out of them.
...and so-called security experts tell us to throw away our anti-virus software because it is obsolete; imagine what will happen to the Internet if everyone started doing that. The bottom line is, at least protect your PC against the known threats; we don't want 4-year-old worms pumping out spam from every possible machine on the Internet.
www.cybertopcops.com
Except that Windows has you run as administrator so malware can do damage to the O.S., whereas Mac and Linux run as a user so malware can only damage the user account. Malware rates might be the same with a similar user base but the damage done would still be vastly different.
Tired of all the isms, don't exploit people as an employer, or a government, mmmmK?
There has to be some attempt at control. Obviously too much control is a bad thing, but no control is just as bad. Anarchy doesn't work as a government, why would it work on the internet?
I do not agree with blocking port 25 traffic and only allowing designated SMTP servers, but I do believe it is the ISP's and the end user's responsibility to make sure infected machines are handled in a quick and effective manner. The ISP should monitor their network for this type of activity and contact the end user so that the problem can be addressed. If the problem isn't addressed, the end user's computer doesn't need to be on the internet.
I don't want to hear that crap about "it's my computer I can do what I want" either. You're not allowed to drive on the sidewalk just because it's your car.
Shut down all botnets. Problem solved.
So what happened to Kraken being the largest botnet with an estimated 400k bots?
My ISP has an optional firewall with quite a few settings, including "block outgoing port 25 to any system besides our mail servers". The option can be changed easily through the user control panel, and defaults to one of the more secure settings.
Best way of doing it that I've seen yet.
Breaking Into the Industry - A development log about starting a game studio.
I'm a smart software developer, so I'm pretty sure my computer is not affected (secured hardware firewall, etc). But how can I be sure?
You can never be SURE. You can just be reasonably confident. Some particularly hard cases...
- Rootkits corrupt the very pieces of the OS and utilities that you'd use to detect them, to hide the presence of their components. (Also they can corrupt any antivirus tools they know about.)
- Virtualization allows things like "Blue Pill" to create a virtual environment where the malware is running in the virtualization server and nothing is visible in the virtual machine except maybe some odd delays.
- RAM-only infections can vanish completely at reboot - requiring a reinfection to restart and leaving no trace (unless they plant a restarter trojan somewhere on the system.)
Regarding rootkits: One thing you can do to detect them is to compare what the filesystem shows when the system is running to what it shows when a clean system is viewing it from a live CD. Tools based on this principle are available, to look for files that are "invisible" when the compromised system is running and for those that present different contents from what they should contain - or did contain at setup.
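The cross-view comparison described in the comment above (what the running system reports versus what a clean environment sees on the same disk) can be prototyped directly. The following is an added example and not one of the tools the commenter alludes to: `snapshot()` hashes every file under a root, and `compare_views()` lists files the running system hides and files whose contents differ between the two views. Because a real live-CD mount is not available here, `demo()` builds two constructed directory trees under a temp directory to stand in for the "live" and "offline" views of one disk.

```python
"""Cross-view rootkit check: compare a filesystem snapshot taken from the running
system with one taken from a known-clean environment (e.g. a live CD mounting
the same disk).

Added example, not tool code from the thread. The two trees demo() builds are
constructed stand-ins for the two views; in practice you would run snapshot()
once on the running system and once from the live CD, then compare the results.
"""
import hashlib
import os
import tempfile


def snapshot(root):
    """Map each regular file under root (relative, '/'-separated) to its SHA-256."""
    view = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            view[rel] = digest.hexdigest()
    return view


def compare_views(live, offline):
    """Report where the running system's view disagrees with the clean view.

    hidden:   on disk but not visible to the running OS (classic rootkit hiding)
    modified: visible in both views but with different contents (read hooking)
    live_only: visible only to the running OS (usually pseudo-files; listed
               separately so they are not mistaken for rootkit symptoms)
    """
    hidden = sorted(p for p in offline if p not in live)
    modified = sorted(p for p in offline if p in live and live[p] != offline[p])
    live_only = sorted(p for p in live if p not in offline)
    return {"hidden": hidden, "modified": modified, "live_only": live_only}


def _write(root, rel, data):
    """Create rel under root with the given bytes, making parent dirs as needed."""
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)


def demo():
    """Build constructed 'offline' and 'live' views of the same disk and compare them."""
    with tempfile.TemporaryDirectory() as tmp:
        offline_root = os.path.join(tmp, "offline")
        live_root = os.path.join(tmp, "live")
        # Constructed file contents; paths are placeholders, not real system files.
        base = {
            "Windows/System32/svchost.exe": b"PE image (constructed)",
            "Windows/System32/drivers/etc/hosts": b"127.0.0.1 localhost\r\n",
            "Windows/System32/drivers/rk.sys": b"driver payload (constructed)",
        }
        for rel, data in base.items():
            _write(offline_root, rel, data)
            _write(live_root, rel, data)
        # Simulate what a rootkit does to the running system's view: its driver
        # is not listed at all, and one system binary reads back differently.
        os.remove(os.path.join(live_root, "Windows", "System32", "drivers", "rk.sys"))
        _write(live_root, "Windows/System32/svchost.exe", b"PE image (trojaned, constructed)")
        return compare_views(snapshot(live_root), snapshot(offline_root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

The offline snapshot is the trusted side: the running system's tools may themselves be subverted, which is exactly why the clean-environment view is needed as the reference, and why any disagreement between the two is worth investigating rather than explaining away.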
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
I don't know where this clown gets his info about a 300k strong botnet. As an irc oper the largest *SINGLE* botnet that I've seen so far in terms of total pwned hosts being controlled at once is the equivalent of an ENTIRE /11. Get real people, most of you have NFI how bad it really is.
... and use them to force install all relevant windows 95 / winnt / linux / vista / osx / amiga / c64 / vic20 etc security updates.
(Ok, some of the latter ones might be fictional, but who knows.)
And when that's done, force the users to read a 10 minute introduction to how not to be a clueless n00b on da internetz --- the anti botnet software will only give the OS or what passes for it back, and remove every single trace of itself as the last step if the user successfully completes a multi choice quiz or something to that effect.
Now that'd be kind of cool.
ISO certified == THX certified
A friend of mine is investigating an interesting approach to spam.
From this article it quite clear that chasing the source of the spam is quite pointless.
His research is into tracking the destination.
Spams only make sense if they can make some money from it. This means the payload (content) must lead someplace with a URL to order, a URL with ads, or a phone number for orders.
His blog is at:
http://spamdirect.blogspot.com/
I have to push him to post some of the more interesting stuff he has discussed in E-Mails with me.
One very odd note.
My domain unmailable.com gets no spam!
Without any filters, and with addresses even posted publicly, there is just no spam to it.
I think they must remove any mail reference to unmailable, assuming it must not be a real domain.
I am always doing that which I can not do, in order that I may learn how to do it. - Pablo Picasso
I have a legitimate right to send SMTP from my machine - and I do so. I also run an SMTP server at home, have since 1993, when I got off of uucp.
Really? Read your terms of service lately on that home account? I'll bet servers are banned.
Theremite burns way too hot and fast! You want the malware to die slowly and painfully, thus gasoline. Duh!
Apples are less likely to be targeted because their users are more observant. They know how to use their operating system and try to get the most out of it. Performance deteriorating is going to cause notice. Microsoft users are smart and savvy as well, but not all of them. A lot of them are just used to the Microsoft way of doing things. They are never going to try an Apple or a flavor of Linux. These users are the people the botnet makers are after. They are unlikely to do anything when they lose performance. Instead they'll keep signing on to check their email and use Yahoo Messenger. If they download a game and the exe is infected they are going to allow that port through and they are probably never going to remove it. If anyone removes it for them it's likely to be Best Buy or some kid that stops by to use it. You can blame Microsoft for convincing people that the Microsoft way of doing things is the simplest, and for giving out free software in schools to get people used to it. That's not the answer though. It's what people want. They wanted the simplest device to get online and go, which is what the company has provided. Anyone that wants to take the time to dig deeper can easily spot a backdoor.
"I guess I'm gonna fade into Bolivian."
And especially, show me the law and/or contract you have which states you have the right to send SMTP to any other machine besides your ISP's SMTP server.
I sincerely hope you stay blacklisted.
Show me the law that says I don't.
I call bull. Blocking egress tcp port 25 at the border routers except for approved smtp servers does not prevent you from running your own smtp server. You just use one of the approved smtp servers on your network to relay your mail.
I'm tired of hearing hobbyists insisting that they should have all the access, bandwidth, and privileges of a commercial grade internet account, but only pay a consumer grade price. You want all that power, learn to pay for it just like real business users do. You don't get to play mini-ISP for fun at everyone else's expense.
You don't have an MX (DNS) record for your domain!
Without designating where the mail should go, you won't get much (if any).
Mail servers *do not* use ordinary "A" type DNS records for email!
Are you even running a SMTP server? It doesn't look like it...
So we apparently agree: the ISP has a right to stop your SMTP.
A recent experience demonstrated to me a salutary lesson in how this works.
I would consider myself pretty savvy in respect of spam/viruses etc, but recently I started working on a blog - and I'm sure as you all know there are blog spams out there. Well I didn't know that - why would I?! It's not something I had any dealings with - and you never see them on other blogs, because they get moderated out.
Now I get 2-3 of these things a day and I just mark them as spam, no problem. But I have to say the first one had me good. It was a very vague comment on the blog, and I'm trying to promote my site from a marketing point of view. If someone seems unclear - standard marketing insists that you clarify the situation for them. And this appealed to my sense of "Cool! Someone's interested in my blog" - another victim of human frailty.
Now, I was tempted to reply to their e-mail address - but I didn't and replied through the comments on the site instead. Thing is though, the reason I didn't reply was not because I was worried about the malware effects but because I wasn't too sure what the procedure for dealing with comments was and I didn't want to offend my potential new customer and/or look stupid.
So all I'm saying is, it's people who are novices in areas (as everyone is at some stage) who click on these things. And given that there are 100s of millions of new PCs sold annually, literally there is one born every minute, or more accurately every second.
Genesis 1:32 And God typed
Yes there's some Macs in there, but it's their Boot Camp Windows partition that's compromised. :p
Point one: That's not an example of "hacking/being hacked". That's an example of a virus that relies heavily on end-user stupidity. I.e., executing a file with elevated permissions.
Point two: It's not a prevalent exploit, with Symantec estimating that there have been fewer than 49 infections over the past six years.
"We have a lot of programs written by people who simply do not understand security issues. Windows, for example,"
I couldn't agree more! Oh, okay, I did get clever when snipping that quote, but more seriously, Windows was clearly written by people who were not terribly concerned or competent when it came to building a multiuser, network OS. The preponderance of exploits that take advantage of remote, privilege-escalation, and auto-execution exploits in Windows and the Microsoft applications that come bundled with it underscore this point. Name a single Linux remote exploit, patched or not. Name a single Linux privilege-escalation exploit. Or a single auto-execution one of the sort that had Outlook Express automatically installing malware if a user just received an email with a malicious payload.
You just can't hope for a sturdy structure if you're building on a crumbling foundation. Security incompetence can bring down the sturdiest structures, but it takes far more than "just not being completely incompetent" to secure a structure that could be blown down in a breeze because it's so shoddy.
I don't get your post. We still have amateur engineers working in their garages all over the world. Yet, we require PE certification if you want to design/build a bridge for the government.
They aren't mutually exclusive, ya know. (and yes, I realize MSFT *could* make them mutually exclusive.... but it doesn't HAVE to be that way by default)
Just like other engineering disciplines, programming will have many different "levels" of competence. Some folks will be amateurs. Others will "know enough to be dangerous". And still others will know it inside and out. The idea is that the marketplace needs a way to differentiate between those groups. Right now, there is 1 group: programmers.
Some are good. Most are bad.
Question: Is there a blackhole list maintained for malware infected IP addresses? (Maybe not, since so many are on dynamic IPs at DSL providers).
If a national police agency (maybe with the support or assistance of the NATO cyberwarfare group) were to compile a list of IPs, times, and associated network providers which are known to be infected (and the associated evidence), is there no rule of law that could be used to ask a court for an order to force the ISPs to shut down the accounts of the individuals with the infected computers?
I mention NATO and/or Interpol because obviously it needs to be done in as many countries at once.
Yeah yeah, I don't want a police state. But clearly what's currently being done is NOT working well enough.
"But how can I be sure?... What's the best way to make this determination? " - by AdamTrace (255409) on Thursday April 10, @04:08PM (#23029008) ----
Apply this set of tips/tricks/techniques:
HOW TO SECURE Windows 2000/XP/Server 2003 & even VISTA, + make it "FUN" to do, via CIS Tool Guidance:
http://www.xtremepccentral.com/forums/showthread.php?s=7db26233eff936a1672d537f6bc29b8c&t=28430
Also - Simply by doing what is noted there?
YES, you can even run as ROOT/ADMINISTRATOR user, & NOT get "bushwhacked" online!
E.G. -> I have been doing this very set of things noted in the URL below, & have been running this very same setup since late 2002 + RUNNING AS ADMINISTRATOR USER no less (& NO BUGS etc. et al)
(And, yes, it REALLY truly works... IF you use its suggestions + a bit of "common-sense" online, today!)
APK
P.S.=> From one developer, to another... for roughly 2 hrs. of your time using CIS Tool & the other suggestions I noted there in that URL above? You'll get back YEARS OF SECURE UPTIME, on a Microsoft Windows NT-based OS of modern nature... apk